CVE-2018-15425 — Improper Input Validation in Cisco Identity Services Engine Software

CWE-20 — Improper Input Validation CWE-502 — Deserialization of Untrusted Data CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

4.7MEDIUMNVD

EPSS

0.3%

top 47.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Identity Services Engine Software Cisco Identity Services Engine

Timeline

PublishedOct 5

Latest updateMay 13

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LExploitability: 1.2 | Impact: 3.4

Affected Packages2 packages

▶NVDcisco/identity_services_engine8 versions+7

▶CVEListV5cisco/cisco_identity_services_engine_softwaren/a

🔴Vulnerability Details

GHSA

GHSA-f3wr-m2wm-39gh: A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute↗2022-05-13

▶

CVEList

Multiple Vulnerabilities in Cisco Identity Services Engine↗2018-10-05

▶

📋Vendor Advisories

Cisco

Multiple Vulnerabilities in Cisco Identity Services Engine↗2018-10-03

▶